(feat) only allow master key to update users

2024-02-03 14:16:14 -08:00 · 2024-02-03 14:16:14 -08:00 · 44b6c73351
commit 44b6c73351
parent 78b899dc1d
1 changed files with 5 additions and 1 deletions
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@ -554,7 +554,6 @@ async def user_api_key_auth(
                        db=custom_db_client,
                    )
                )
-
            if (
                route.startswith("/key/")
                or route.startswith("/user/")
@ -589,6 +588,11 @@ async def user_api_key_auth(
                            status_code=status.HTTP_403_FORBIDDEN,
                            detail="user not allowed to access this key's info",
                        )
+                elif route == "/user/update":
+                    raise HTTPException(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        detail="only proxy admin can update user settings. Tried calling `/user/update`",
+                    )
                elif route == "/model/info":
                    # /model/info just shows models user has access to
                    pass